The vast majority of unauthorized credentials were presented to computers running antivirus programs from companies including Bitdefender, Eset, and others. Commercial firewall and network security appliances were the second most common source of forged certificates.


In other words, for the most part it's security products that are breaking HTTPS security, in order to protect users. And network admins are breaking HTTPS in order to prevent employees from wasting time on Facebook.

And then we have this:

More troubling, of course, was the discovery of forged certificates issued by malware and adware programs for purposes of ferreting log-in credentials out of, and injecting banner ads into, encrypted Web traffic.


I am continually amazed by the importance of ads in all this. Given that I never see ads, it's easy to forget how heavily they have dominated Web economics.

I am involved with several very private sites and, like Wilders, they issue PRIVATE certs where we don't have to rely on all the CA ~ Snipped as per TOS ~. I just don't have trust for the "cert authorities" because it's tooooooooooo easy to get a bad actor in the mix. The site owner/admin posts the cert ID at the top of the website with all pertinent fingerprints and then members can set their "watchdog software" to verify the FULL fingerprint before opening the site, without fail. That is how I strongly prefer to conduct business and I wish that was how all sites went about it. I know it's not going to happen. I am just glad that those I value and feel secure in do proceed that way. My two cents.
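The "post the full fingerprint, verify it before opening the site" scheme described in the post above, as an added example in Python. This is not code from the thread, from Wilders, or from any product named on the page. The certificate bytes and the pin are constructed sample values, and the function names (`pin_matches`, `fetch_leaf_der`, and so on) are assumptions made for the example. Standard chain validation is left switched on; the pin is an extra check on top of it, which is exactly what catches an interception proxy whose root is already in the OS trust store.

```python
"""Pin a TLS leaf certificate by its SHA-256 fingerprint.

Added example, not code from the original thread. The idea: the site admin
publishes the fingerprint of the site's certificate out of band; the client
compares the certificate actually presented on the wire against that pin
and refuses the connection on any mismatch, regardless of what the CA
chain says. A forged certificate from an AV scanner, a corporate firewall,
or adware has a different fingerprint, so the check fails closed.
"""
import hashlib
import hmac
import socket
import ssl

HEX = set("0123456789abcdef")


def sha256_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 of the DER-encoded certificate (64 hex chars)."""
    return hashlib.sha256(der).hexdigest()


def format_fingerprint(hexdigest: str) -> str:
    """Render a digest the way admins usually post it: AB:CD:EF:..."""
    h = hexdigest.upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def normalize_fingerprint(text: str) -> str:
    """Accept colon/space separated, mixed-case pins and reduce them to
    bare lowercase hex so a copy-pasted pin compares cleanly."""
    return "".join(ch for ch in text if ch.isalnum()).lower()


def pin_matches(der: bytes, pinned: str) -> bool:
    """True only if the served certificate hashes to the published pin.

    A malformed pin (wrong length, non-hex) is rejected outright rather than
    partially compared; a pin check must never degrade to "close enough".
    """
    expected = normalize_fingerprint(pinned)
    if len(expected) != 64 or any(c not in HEX for c in expected):
        return False
    actual = sha256_fingerprint(der)
    return hmac.compare_digest(actual, expected)


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the DER of the leaf certificate actually presented to us.

    Default (CA-based) verification stays enabled. An interception product
    whose root is trusted by the OS passes this step; only the pin below
    exposes it. Not called by the offline demo; needs network access.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(host: str, pinned: str, port: int = 443) -> None:
    """Connect and refuse to proceed unless the pin matches (network call)."""
    der = fetch_leaf_der(host, port)
    if not pin_matches(der, pinned):
        raise ssl.SSLError(
            f"{host}: served certificate {format_fingerprint(sha256_fingerprint(der))} "
            f"does not match pinned fingerprint; possible interception")


# ---- constructed sample data (NOT real certificates) ----------------------
# These byte strings stand in for DER-encoded certificates; only their hashes
# matter for the check, so any distinct blobs demonstrate the behaviour.
GENUINE_CERT_DER = b"constructed sample: the site's own certificate"
INTERCEPTED_CERT_DER = b"constructed sample: certificate minted by an interception proxy"

# What the admin would post at the top of the site: the genuine cert's
# fingerprint in colon-separated form.
PUBLISHED_PIN = format_fingerprint(sha256_fingerprint(GENUINE_CERT_DER))


def demo() -> dict:
    """Offline walk-through returning the verdict for each sample cert."""
    return {
        "genuine": pin_matches(GENUINE_CERT_DER, PUBLISHED_PIN),
        "intercepted": pin_matches(INTERCEPTED_CERT_DER, PUBLISHED_PIN),
        "malformed_pin": pin_matches(GENUINE_CERT_DER, "AB:CD:EF"),
    }


if __name__ == "__main__":
    print("published pin:", PUBLISHED_PIN)
    for name, ok in demo().items():
        print(f"{name:14s} -> {'OK' if ok else 'REJECT'}")
```

The offline demo returns OK for the genuine certificate and REJECT for the intercepted one and for a truncated pin. Against a live host you would call `check_site("example.com", "<pin posted by the admin>")`; note that a pinned site must republish the pin (and clients must update it) every time the certificate is renewed, which is the operational cost that keeps this approach confined to small, closed communities.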

Researchers from Facebook and Carnegie Mellon University have published a paper (PDF) in which they show that out of a sample of over 3 million secure connections to Facebook, 0.2% used a forged SSL certificate.

The number may seem small, but it is not insignificant, especially given the sheer volume of HTTPS connections made over the Internet every day.

Yes, but the "vast majority" of that 0.2% were not exploits. They involved "unauthorized" SSL certificates used by anti-malware apps and network firewalls for scanning HTTPS connections.

Even so, it is disturbing. It further demonstrates just how broken HTTPS has become. As Palancar noted, self-signed certificates are the way to go for security. But that's not workable for most Web users.